Let's talk about security

[BernyJB]

but if a guy robs me through my computer I'm helpless. I don't like the feeling.

He'd rob you if he ever found out you own cryptocurrencies. If he didn't, you wouldn't be his prey. So, it's a matter of privacy.

Semantics.
If he knew I had all the cryptocurrencies in the world and couldn't touch me, he wouldn't, and the knowledge would be useless to him.

I don't belong to that "group", so I can only go by what I read or hear.

That's why I said it's stereotypical. There's no evidence that Argentina has the greatest hackers in sum neither that the Argentines are used to make damage. Just stereotypes.

I'm Argentinian, currently living in Buenos Aires. I never said Argentinian hackers are the greatest, I said they're considered to be among the best.
About doing damage, trust me, they're nasty. I can't possibly give you a marginally accurate picture of what living in here means. Let's just say I'd rather be anywhere else.

No such thing as impossible. Tor obfuscates your identity, to the point even US 3-letter agencies have been unable to crack it.

So why did you want to add another “layer” of privacy protection (VPN) in front of it? You said it yourself; Tor obfuscates your identity to a high degree.

For what I read (again, remember I'm far from an expert), Tor obfuscates your entry point to the network, but the exit node can still be used to track you. Adding a VPN is said to close the circle.

[1714094173]

1714094173

[1714094173]

1714094173

[1714094173]

1714094173

[1714094173]

1714094173

[mindrust]

I don't live under US law, so if the FBI wants my data, they can ask me, no problem.

^Here is the big illusion...

Everybody lives under the US law.

Everybody.

[BernyJB]

I don't live under US law, so if the FBI wants my data, they can ask me, no problem.

^Here is the big illusion...

Everybody lives under the US law.

Everybody.

Heh. That's what Americans think.

[larry_vw_1955]

As usual, you guys are very informative. Thanks to all.

larry_vw_1955: I'm not really worried about the tax collectors. One of the (very few) good things about living in a lawless country is you don't really have any obligation to pay taxes, and nobody can do anything to you if you don't. The downside is you have to fend for yourself, because the police is just as non-existent as the tax agency.

The reason I'm worried about security is twofold: first, Argentinian hackers are said to be among the best (not surprisingly, considering Argentinians generally have  penchant for doing damage), and second, if you do get hurt (physically or financially or whatever), nobody protects you, you're screwed. The law here is so twisted that if you defend yourself, you go to prison.

If the police are non-existent then how could you go to prison that's kind of confusing. or maybe you're saying the police only show up when you don't need them. i could understand that maybe.

[n0nce]

I personally, since a long time, either look up addresses over the Tor version of blockchain explorers, or just use my own Bitcoin node.

Why do you think using the TOR version is safer? Couldn't that be a great honeypot as well? Someone creates a TOR-only blockchain explorer that logs addresses. Your IP is protected, that's true. Unless the TOR server you are connected to is also malicious.

Well, when I use Tor Browser and use the Tor version of the website, it won't see my home IP. The Tor blockchain explorer can log anything it wants; they won't see my home IP address and also every time I restart Tor Browser or open a new tab, I have a new Tor IP as well (at least when restarting). An attacker would need access to lots of Tor nodes to map my identity to the query on the website.

It's not as good as just asking your own home node locally, but if you don't have one, it's better than clearnet https://blockchair.com/ for example.

But the topic is security; and there it's simplest and safest to have a dedicated device for holding your keys.

Why don't he just hold the seed phrase instead of the keys when we are no more in the nondeterministic (random) wallets era and now in deterministic (seeded) wallets era. This can still make this simple by backing up the seed phrase (which can generate the keys and addresses), the seed phrase can easily be backup on laminated paper or on metallic sheet.

Sorry, I always mean seed words when I say 'keys'! Of course it's not technically correct anymore and it's definitely better (in most cases) to save the seed words instead, since we can derive many many private keys and addresses from one such seed.

If you want to protect your privacy you'll have to change your relay circuit every time.

I'm sorry, I was way too unspecific. When I can't access a node of mine to query my balances and transactions, I start up Tor Browser and use a Tor block explorer. Tor Browser gives me a new relay circuit every time indeed; and as said above, it's hard to trace the query back to myself due to Onion routing (it's in the name! ) as well.

I'm setting up to use Binance.

You might want to check out a decentralized, KYC-free, open-source exchange that runs completely over Tor by default, by the way.. not sure it has enough liquidity in your country, though. https://bisq.network/

[Pmalek]

For what Tor server are you talking about?

Not a particular one. I am just assuming that in the same way that a three-letter agency can set up and run their own Electrum servers, they might be able to set up and run their own TOR routers to examine the traffic that runs through them and take a closer look at those individuals that might be of interest to them.

[mindrust]

I don't live under US law, so if the FBI wants my data, they can ask me, no problem.

^Here is the big illusion...

Everybody lives under the US law.

Everybody.

Heh. That's what Americans think.

I am not American though.

I've seen what they did to McAfee. His crime was avoiding his taxes. He got pwned in Spain. Died in a cell. I've never heard of a German guy that avoided his taxes getting pwned in the US by the German officers.

There were other examples too. Another one was the owner of btc-e. He got pwned in Greece... by the FEDs. How is that possible?

[Pmalek]

I've seen what they did to McAfee. His crime was avoiding his taxes. He got pwned in Spain. Died in a cell.
...
There were other examples too. Another one was the owner of btc-e. He got pwned in Greece... by the FEDs. How is that possible?

I don't know who the other guy you mentioned is, but McAfee was certainly a much bigger player than OP is. The person that "had an accident" in Greece was of a similar caliber probably. McAfee kept running his mouth against the government, kept criticizing. Wasn't there a time when he was considering running for president and he promised to make crypto an integral part of his campaign? He was a very controversial character indeed.   

[BlackHatCoiner]

For what I read (again, remember I'm far from an expert), Tor obfuscates your entry point to the network, but the exit node can still be used to track you. Adding a VPN is said to close the circle.

The exit node can't track you if you're connecting to an onion service. The exit node can only read the message if you're connecting to a .com, .org, .net etc. (clearnet) which can then be used to track you.

Not a particular one. I am just assuming that in the same way that a three-letter agency can set up and run their own Electrum servers, they might be able to set up and run their own TOR routers to examine the traffic that runs through them and take a closer look at those individuals that might be of interest to them.

But, they can't read the message if it's an onion service. Yeah, they may know you're using Tor and that you're also visiting a block explorer, but they can't know what you're viewing. This is only known by the one who runs the onion service. So, unless every Tor node is a honeypot AND the block explorer is ran by surveillance agencies, you're fine.

[o_e_l_e_o]

For what I read (again, remember I'm far from an expert), Tor obfuscates your entry point to the network, but the exit node can still be used to track you. Adding a VPN is said to close the circle.

Tor obfuscates your entry and exit point to the network. Your exit node can only track you if they are also controlling your entry node and can link your entry and exit traffic between the two nodes, effectively mounting a Sybil attack.

If this is a concern of yours, then you could consider connecting to your VPN first, and then connecting from your VPN to Tor, effectively using your VPN server as an entry node in to the Tor network. If your Tor nodes are malicious, then they could only track you back to your VPN server, and not to your real IP address.

You should never connect to Tor first and then to your VPN, since that defeats the entire point of using Tor. All your anonymized traffic which has been passed through various Tor nodes and circuits would then all pass through a single VPN server and therefore all be linked back together.

[COBRAS]

Without tor your ip adress then making trasactions is saved to blockchain, so if you for ex from Japan, then your wallet.dat password probably in Japan language too.... etc...

[Pmalek]

But, they can't read the message if it's an onion service. Yeah, they may know you're using Tor and that you're also visiting a block explorer, but they can't know what you're viewing. This is only known by the one who runs the onion service. So, unless every Tor node is a honeypot AND the block explorer is ran by surveillance agencies, you're fine.

Every TOR node doesn't need to be, but a few of them could. They could also be getting data from certain block explorers who would gladly sell it to them or hand it over for free depending on their agreement.

Tor obfuscates your entry and exit point to the network. Your exit node can only track you if they are also controlling your entry node and can link your entry and exit traffic between the two nodes, effectively mounting a Sybil attack.

Is this a risk worth thinking about? How many entry and exit node combinations exist on the TOR network? Do the numbers change and increase regularly or are they more or less the same for years?

[ABCbits]

Without tor your ip adress then making trasactions is saved to blockchain

1. The IP address isn't stored on blockchain, unless you meant blockchain.com the block explorer?
2. IP address shown by blockchain.com is IP of the node which relay the transaction to blockchain.com node. It's unlikely the sender run full node and directly connected to blockchain.com node.

Tor obfuscates your entry and exit point to the network. Your exit node can only track you if they are also controlling your entry node and can link your entry and exit traffic between the two nodes, effectively mounting a Sybil attack.

Is this a risk worth thinking about? How many entry and exit node combinations exist on the TOR network? Do the numbers change and increase regularly or are they more or less the same for years?

Read this (https://tor.stackexchange.com/a/114) and make your own conclusion. As for me, i would worry about something else.

[Pmalek]

Read this (https://tor.stackexchange.com/a/114) and make your own conclusion. As for me, i would worry about something else.

Good source, thank you.

I did find some parts in that discussion quite interesting. For example, here is a quote from one of the replies:

Some exit relays are considered as bad exits. They might listen in your traffic, change your traffic etc. Tor does not choose them (as long as you don't explicitly allow it).

How would TOR know that some exit nodes are "bad" and have ways to monitor or manipulate the traffic routed through them? And if they have such knowledge, why are those nodes not removed and blacklisted?

I find this segment interesting as well:

Operators who run more than one relay should declare those relays their 'family' (There is a special option in the configuration). Tor doesn't choose more then one relay from a family.

The emphasis is on "should". They didn't say "must" or "have to", but you have the option to do it or not.

Nothing of the above seems worrying to me either, but still interesting to think about... 

[o_e_l_e_o]

How many entry and exit node combinations exist on the TOR network? Do the numbers change and increase regularly or are they more or less the same for years?

You can take a look at the data here: https://metrics.torproject.org/networksize.html?start=2007-01-01&end=2021-11-08

As you can see, the number of Tor relays has stayed fairly consistent at between 6000 and 7000 for the last 6+ years. Also note that when you use Tor, your browser picks one of three guard nodes, each with a lifetime of approximately 120 days. It is only the middle and exit nodes which change whenever you request a new circuit or after you've used the same circuit for 10 minutes. So given that you will be using the same guard node for a period of time, then you have around 6000-7000 possible entry/exit combinations.

[vv181]

Some exit relays are considered as bad exits. They might listen in your traffic, change your traffic etc. Tor does not choose them (as long as you don't explicitly allow it).

How would TOR know that some exit nodes are "bad" and have ways to monitor or manipulate the traffic routed through them?

A few resources about how they did it:

Bad relay work and:

Do you actively look for bad relays?

Yes. For our automated issue detection see exitmap and sybilhunter.

Other monitors include tortunnel, SoaT, torscanner, and DetecTor.

And if they have such knowledge, why are those nodes not removed and blacklisted?

As on Criteria for rejecting bad relays, in short, there is a difference between misconfigured exit relays and malicious relays, the former will not be directly removed from the network since it rather can be used as a guard(entry) or middle relay, and the latter, it will immediately be removed.

[BernyJB]

If the police are non-existent then how could you go to prison that's kind of confusing. or maybe you're saying the police only show up when you don't need them. i could understand that maybe.

Best of luck. NOBODY can understand my country.  
We're talking about a country that elects a vice president while she's under indictment on several different charges, high treason among them. https://en.wikipedia.org/wiki/Cristina_Fern%C3%A1ndez_de_Kirchner#Legal_charges

Let me give you a couple of pointers:

A few years ago, a guy saw 3 thugs break into his business (a convenience store) that was just across the street from his house. So he took his (legally owned) gun, crossed the street, and shot the burglars down. The guy went to prison because his permit didn't allow him to take his gun to the street, so it was "illegal carry". None of the 3 burglars died, and none of them was even indicted.

In 2017 or 2018, a guy was working as a security guard in a warehouse. He was armed with a "Ballester-Molina" pistol, similar to a Colt 1911.
A group of guys broke in. A gunfight ensued. He managed to kill one of the guys, and wounded a few more. In the process, he was wounded.
He was arrested because he was "carrying without a license", and his boss denied even knowing him, even when he could (and did) prove he was working for him, and he had provided him with the weapon. Again, none of the burglars was even charged.

in 2019, I was walking one night along one of Buenos Aires' most important streets (9 de Julio Avenue), when I saw a guy laying down on the sidewalk, handcuffed and squealing like a dying pig, surrounded by about a dozen cops. I kept on walking, as I was going to work  at a mcdonald's store about 100ft. away, and knew damn well I was gonna learn what happened soon enough. About 2 hours later, a couple of cops showed up.
The guy had been caught red-handed having beat up a girl right outside a university, and trying to rape her. The girl was sitting in the side, all bruised, waiting on the ambulance to show up.
So I talked to the cops. They had called the prosecutor, and when he learned the guy was homeless, he refused to prosecute him. they had to let him go.  

Now tell me: you really think you can understand that?

Thank you n0nce, I'll check it out.
The good thing about Binance is it allows me to buy directly in ARS, which is very convenient, especially considering Argentinian money is as volatile as cryptocurrencies...  

[BernyJB]

I am not American though.

I've seen what they did to McAfee. His crime was avoiding his taxes. He got pwned in Spain. Died in a cell. I've never heard of a German guy that avoided his taxes getting pwned in the US by the German officers.

There were other examples too. Another one was the owner of btc-e. He got pwned in Greece... by the FEDs. How is that possible?

Yeah, McAffee had it coming.
On the other hand, Gottfrid Svartholm, Fredrik Neij, and Peter Sunde fought tooth and nail against the US justice system. After years lobbying the Swedish government, they finally filed charges against them, and they got arrested. They spent a few years in prison, and now they're free as birds, and nobody can touch them. And The Pirate Bay never got offline, and it's running today, stronger than ever.

In the meantime, the MPAA started a war against the Yify torrent site, and its owner, Yiftach Swery. They shut down the original site, and literally HUNDREDS of mirror sites popped up. Since, Swery retired, and Yify changed name to YTS. Still going strong.

Thank you all for the replies. Last night I realized I had been overcomplicating things. I don't need Tor, and chances are I don't need Tails (which is proving to be a pain in the rear to set up) either. If I'm running a wallet offline, I'm already safe. I'm thinking about using it together with a number of paper wallets, and I should be ok.

[titular]

I tried to post this on the "Serious Discussion" board, as it doesn't necessarily pertains to Bitcoin, but couldn't do it. Sorry. 

So, as I stated before, I've been doing a lot of research, while getting ready to start investing. Not surprisingly, I learned that there are a lot of criminals preying on crypto investors.
Now, money is (courtesy of, among other things, the damn pandemic), very tight. I've been looking at ways that may be within my means (or lack thereof) to make my investments as secure as possible.
So far, I'm looking at using 3 operating systems (Fedora Linux for my main activity online, most likely with Tor, Windows 8.1 inside a virtual machine for information and monitoring purposes only, and Tails with Tor for coin cold storage).
My question would be, initially, about VPN's.

Would using Tor over a VPN be a good idea for crypto trading? I understand (to a point) the advantages of such a setup, but would it provide any real advantages in this case? Is it worth the extra expense?
I know Linux is generally (not 100%) immune to malware, but I'm particularly worried about phishing and keyloggers. In the meantime, I have installed ClamAV already, and I'm keeping as secure as I can. Am I overthinking it?

Using a VPN with tor is generally only recommended if you can configure it properly. If not, you are likely not doing yourself any favors.

Tails w/Tor for cold storage is a must though.

[o_e_l_e_o]

Tails w/Tor for cold storage is a must though.

Cold storage should never be online, in which case you don't need Tor. If your device is online, even if all your traffic is being routed through Tor, then it's not cold storage.

Unless of course you mean using Tails as cold storage on a permanently airgapped device, transferring your signed transactions to an online device via QR code or USB drive, and then broadcasting them via Tor, in which case I agree.